Following steps on handbook, won't take to solution, at least not clearly - Forum - OpenEdge Deployment - Progress Community


  • Progress Application Server for OpenEdge: Administration Guide (SECURED) handbook,

    on page 81, chapter:

    Configuring PAS for OpenEdge for SSL/TLS

    describes these steps to secure HTTPS security for server, by using SSL...

    3. Submit MyCert.pk10, the public key file, to a CA in order to request an SSL certificate.
    The CA returns both a private and a public (or ROOT) SSL certificate. The certificates are files, usually with
    either a .crt or a .cer extension. In this example, we'll call the files MyCertPriv.cer and
    MyCertPub.cer
    4. When the SSL certificates are received from the CA, copy them to the
    OpenEdge-Install-Dir\keys\requests directory.
    5. Generate a Privacy Enhance Mail (.pem) formatted file from the private SSL certificate (named
    MyCertPriv.cer in these examples) obtained from a CA.
    A PEM file is an encrypted file that contains key store information. You use the OpenEdge PKIUTIL
    command-line utility to generate the PEM file. You can find more information about the syntax and usage
    of PKIUTIL in OpenEdge Getting Started: Installation and Configuration.
    a) In PROENV, change directory to the PAS for OpenEdge instance's/conf directory.
    For example:
    proenv> cd C:\MyInstance\conf
    b) Use the -import option of PKIUTIL to generate the PEM file from the private SSL certificate.
    For example:
    proenv> pkiutil -import MySSLPrivKey
    OpenEdge-Install-Dir\keys\requests\MyCertPriv.cer
    Note: MySSLPrivKey is the stem filename of the PEM file that will be generated from MyCertPriv.cer.
    c) When prompted enter the password you used when you created the keystore (i.e. the .pk1 file) in Step
    2 on page 83.

    I get confused, as chatting with Sectigo CA (formerly Comodo) support, they inform (and I could see) that
    the *.crt file they sent is already in PEM format.

    On previous steps, STEP 5 should be done no matter whether the cert is already PEM, or this sentence is missing something
    like "in case you get certificate in binary form, generate a PEM...."???

    Also, this step gets out of nowhere a reference to "MySSLPrivKey", and it is not clear where it came from..
    I know it clearly says:

    Note: MySSLPrivKey is the stem filename of the PEM file that will be generated from MyCertPriv.cer.

    but following the instruction on creating this MySSLPrivKey file gets an error:

    C:\Progress\OpenEdge\keys\requests>pkiutil -import MySSLPrivKey servicios_sucahersa_com.crt
    A private key for keystore entry MySSLPrivKey does not exist

    Assuming that I should avoid that step, as the certificate is already in PEM format, I go on to the next steps in

    Configuring a PAS for OpenEdge instance for SSL/TLS

    Step 2 says to execute:

    proenv> cd C:\MyInstance\conf
    proenv> sslc pkcs12 -export C:\Progress\OpenEdge\keys\V.pem -out tomcat-keystore.p12
    -name mysslprivkey

    the "C:\Progress\OpenEdge\keys\V.pem" part is a typo? I don't have that file on my server... I know
    clearly we are digesting the previous confusing file in PEM format already, but on executing sslc, I get:

    C:\home\appsch\conf>sslc pkcs12 -export c:\progress\openedge\keys\requests\servicios_sucahersa_com.crt -out tomcat-keystore.p12 -name sch-ssl
    pkcs12: Use -help for summary.
    
    C:\home\appsch\conf>

    I checked documentation and it is 11.7 indeed, same as my platform...

    So far, I haven't been able to secure the server (PASOE 11.7.5)...

    Any thoughts?
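Added example (not part of the post above and not Progress code): "already in PEM format" describes only the encoding of a file, not whether it also holds the private key that a PKCS#12 keystore bundles with the certificate. The sketch below reports the encoding of a file and the objects inside it; `inspect_cert_file` and the sample byte strings are hypothetical names and constructed data.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def inspect_cert_file(data: bytes) -> dict:
    """Report the encoding of a certificate file and which objects it holds."""
    text = data.decode("ascii", errors="ignore")
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        # Skip RFC 1421 header lines ("Proc-Type:", "DEK-Info:") of encrypted keys.
        b64 = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        try:
            payload = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # armor lines present, but the payload is not base64
        if payload:
            labels.append(label)
    if labels:
        encoding = "PEM"
    elif data[:1] == b"\x30":  # binary DER starts with an ASN.1 SEQUENCE tag
        encoding = "DER"
    else:
        encoding = "unknown"
    has_cert = any(l.endswith("CERTIFICATE") for l in labels)
    has_key = any(l.endswith("PRIVATE KEY") for l in labels)
    return {"encoding": encoding, "objects": labels,
            "has_certificate": has_cert, "has_private_key": has_key,
            # a PKCS#12 keystore bundles a private key with its certificate
            "pkcs12_export_ready": has_cert and has_key}

def _pem(label: str, der: bytes) -> bytes:
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n".encode()

# Constructed placeholder bytes (a minimal DER SEQUENCE), not a real cert or key.
SAMPLE_DER = bytes.fromhex("3003020101")
CA_REPLY = _pem("CERTIFICATE", SAMPLE_DER)         # certificate only
KEY_AND_CERT = _pem("PRIVATE KEY", SAMPLE_DER) + CA_REPLY

if __name__ == "__main__":
    for name, blob in [("CA reply (.crt)", CA_REPLY),
                       ("binary .cer", SAMPLE_DER),
                       ("key + cert PEM", KEY_AND_CERT)]:
        print(name, inspect_cert_file(blob))
```
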

  • This link goes to the extreme of over simplifying the issue...  so which one to follow?

    knowledgebase.progress.com/.../P109432

  • And then there is:

    documentation.progress.com/.../index.html

    oh my gosh....

  • "Configuring PAS for OpenEdge for SSL/TLS" is the one to follow for PASOE.

    knowledgebase.progress.com/.../P109432 - this is for classic appserver.

    documentation.progress.com/.../index.html - this is for securing OE Management, nothing to do with PASOE.

    There is definitely something wrong with the instructions in "Configuring PAS for OpenEdge for SSL/TLS".

    I'm looking into this now and will respond with my findings.

    PAUL J. CONNAUGHTON

    QA Engineer II, OE Core Database

    PROGRESS SOFTWARE CORPORATION

    DIRECT  +1 781 280 3064    |  MOBILE  +1 508 254 0465

  • Apologies for the delay. There are definitely issues with the documentation, which I will follow up with our documentation team.

    I think this article describes the process best for PASOE. I tried this out with a self-signed certificate and it worked for me.

    knowledgebase.progress.com/.../How-to-configure-and-test-a-PASOE-instance-for-secure-communications

    PAUL J. CONNAUGHTON

    QA Engineer II, OE Core Database

    PROGRESS SOFTWARE CORPORATION

    DIRECT  +1 781 280 3064    |  MOBILE  +1 508 254 0465

  • Really thanks!!!!

    I'm checking the article you posted, and will comment afterwards!

    Thanks!!!!